US 20050251856 A1
A security platform connected to a private network permits access to the private network from a public network (such as the Internet) through a variety of mechanisms. A reverse proxy system operating as part of the security platform provides access to web-enabled applications from a browser connected to the public network. The reverse proxy rewrites requests and responses so that the browser directs requests to the reverse proxy, from which the requests can be directed to the appropriate server on the public network or the private network. Responses come back to the reverse proxy, and are then forwarded to the browser. An SSL tunneling system permits fat clients to access the private network through an SSL connection. The SSL tunneling system employs a server component operating on the security platform and components downloaded to the client computer from the security platform. The client components include a control component operating in a browser window, a server-proxy component that sets up secure communications with the private network, and an adapter component between the server-proxy and the fat client. The adapter component operates in kernel space. Data is directed from the fat client to the adapter, and then forwarded to the server-proxy; data from the server-proxy is directed to the adapter, and then forwarded to the fat client. Security is provided through the use of multiple authentication realms, each of which provides a set of authentication stages for authenticating users and providing client integrity validation.
1. A security gateway for accessing a network comprising:
a plurality of realms, each realm being associated with a group of users and having one or more authentication stages for the associated group of users, each authentication stage requiring one or more sets of credentials and/or client integrity validations; and
a policy module having one or more policy servers collectively coupled to at least one of the realms, the policy module specifying one or more subgroups each having a specific access attribute within at least one of the plurality of realms.
2. The security gateway according to
3. The security gateway according to
4. The security gateway according to
5. The security gateway according to
6. The security gateway according to
7. The security gateway according to
8. The security gateway according to
9. The security platform according to
10. The security gateway according to
11. The security gateway according to
12. The security gateway according to
13. The security gateway according to
14. The security gateway according to
15. The security gateway according to
16. A computer program product, residing on a computer-readable medium, for use in accessing a network, the computer program product comprising instructions for causing a computer to:
establish a plurality of realms, each realm to be associated with a group of users and having one or more authentication stages for the associated group of users, each authentication stage requiring one or more sets of credentials and/or client integrity validations; and
establish one or more policies specifying one or more subgroups each having a specific access attribute within at least one of the plurality of realms.
This invention relates to systems and methods for providing secure virtual private network access to web-enabled and/or other applications.
Users who are away from their office have a need to be in communication with their office networks. They may want access to electronic mail, files, web-based, and other applications. They may desire to access their office networks through a company laptop, a home personal computer (PC), or some other device. Some of the prior methods for accessing an office electronically and an apparatus and methods for providing a secure virtual office environment are described in published U.S. patent application No. U.S. 2003/0191799 A1 (published Oct. 9, 2003), the contents of which are incorporated by reference.
In order to reduce the information technology resources needed to provide remote access to office applications and files, it may be desirable to provide access through the Internet. In doing so, it can be important that the access generally be secure so that only authorized persons have access to the office computer facilities, and that access to particular applications be restricted to those persons who should have access.
In addition, it may be desirable to permit users to access their office networks using a conventional web browser and without needing to install specialized client applications on the system being used to access the office network.
Traffic over an office intranet typically is not encrypted, as the intranet is considered secure and encryption increases the overhead on the system. However, communications over a public network are not secure. The same communications that need not be encrypted when they take place over an office intranet often are desired to be encrypted if they take place over the Internet or some other public network.
In one aspect, a reverse proxy system, operating as part of a security platform, provides a gateway between an office (or other) private network and a public network, such as the Internet. A user accesses the office network using, for example, a web browser and HTTP-based communications. In some embodiments, SSL is used to provide encrypted communications between the browser and the reverse proxy gateway system. The reverse proxy system decrypts communications from the browser and forwards them, unencrypted, onto the private network and to a web server.
The reverse proxy rewrites the requests from the browser to the web server so that, from the web server's perspective, the requests appear to come from the reverse proxy. Similarly, requests from the browser for links to web servers external to the office network are directed to the reverse proxy, where they are rewritten and forwarded to the outside web server as if originating from the reverse proxy.
In another aspect, an SSL tunneling system provides access by a fat client application to a private network from a public network, such as the Internet. The SSL tunnel may be implemented on a client computer using a control component operating in a browser window, a server-proxy component operating in user space, and an adapter component operating in kernel space. These components may be downloaded from the security platform. The server-proxy establishes an SSL connection between the client and the security platform, and a PPP link with the security platform. Communications from a fat client application are routed through the adapter to the server-proxy. The server-proxy encapsulates the packets within PPP frames. The frames are encrypted and sent through an SSL tunnel to the security platform, where they are decrypted and routed to the appropriate server. Packets from the private network are sent using the SSL connection. The server-proxy decrypts the data, extracts the IP packets from the PPP frames, and delivers the packets to the adapter. The adapter then sends the data to the client application.
In another aspect, security is provided through the use of multiple authentication realms. Each realm provides a set of conditions under which a group of users can login to their office network. These conditions can be based on authentication requirements, to authenticate a user, and policies that define security permissions for authenticated users. The authentication requirements are implemented through a series of one or more authentication stages, which may include one or more client integrity validation steps. A realm may have an associated policy, which establishes inclusions and/or exclusions based on a user's membership in specific groups.
Reverse Proxy System
As shown in
Platform 120 includes platform server 160, which communicates with client 110 and server child 165. Platform 120 may have one or more instances of server child 165 (although only one is shown, for clarity). Each server child 165 includes translation engine module 170 and proxy module 175. Proxy module 175 communicates with remote servers 130. In this example, client 110 is an HTTP client and servers 130 and 160 are HTTP servers.
Platform 120 also includes policy daemon 180, authentication daemon 185, and state daemon 190. Each of these daemons communicates with translation engine module 170.
Generally, platform server 160 receives requests from client 110 and forwards them to translation engine module 170. Translation engine 170 validates the request against policy daemon 180, manages the user's cookies using state daemon 190, translates the request to the appropriate form for the appropriate remote server 130, and forwards the validated and translated requests to proxy module 175. Proxy module 175 creates an outgoing connection to a remote server 130.
Similarly, the response from a remote server 130 returns through proxy module 175 to translation engine 170. Translation engine 170 translates the response and forwards the response to platform server 160. Platform server 160 then sends the response back to client 110.
In some embodiments, translation engine 170 is stream-oriented, allowing processing of an HTTP request and response as it is being sent. In other embodiments, the entire response is downloaded before being translated by translation engine 170 and sent to client 110.
Translation engine 170 is shown in more detail in
Authentication server interface 210 communicates with authentication daemon 185 (typically on an authentication server) to determine whether a given user is authorized to make the request. In some embodiments, the entire request is forwarded from request handler 205 to authentication server 210. In other embodiments, only the user's authentication token if forwarded. In still other embodiments, the authentication server interface may be omitted.
In some embodiments, any request received by translation engine 170 is authorized against authentication daemon 185. The authorization may include a resource access request to authorize access to the reverse proxy system. If the request is not authorized, an error message is sent back to client 110 indicating the cause of failure, such as from being logged out as a result of session timeout. Thus, for example, if the user is idle for an extended period of time, subsequent requests may fail from the user having been logged out automatically. Authentication daemon 185 may use conventional authentication processes. Alternatively, authentication daemon 185 may include one or more of the features described below.
Policy subsystem interface 215 is used to determine if a request to a specific remote server should be fulfilled, by communicating with policy daemon 180. Whereas authentication daemon 185 determines if the requesting user is authorized to make requests to the reverse proxy system, policy daemon 180 determines if the request is permitted to be forwarded to the requested remote server 130. For example, the response to a request to access a particular service or particular data may be based on the particular user, the IP address of the client, the port number being used, and/or the security of the request, such as whether the request is through HTTP or HTTPS.
In some embodiments, request handler 205 sends the entire set of request headers to policy daemon 180, in other embodiments request handler 205 sends only specific request headers. As an example, policy daemon 180 may inspect the request line and hostname request header to determine if the policy subsystem should authorize the request.
Request handler 205 also creates headers that will be sent to HTTP client interface 225. The header creation process is described in more detail below.
Once the request is validated (as described above) and any header manipulation has been performed, HTTP client interface 225 is used to move the request to proxy module 175. In some embodiments using an Apache server, this occurs through a chain of Apache filters. Proxy module 175 originates the request to remote server 130.
The response from the remote server is forwarded from HTTP client interface 225 to response handler 230. Response handler 230 is responsible for rewriting the content to be returned to client 110. The data stream from the remote server passes through the content handler and is inspected for rewriting.
In some embodiments, the appropriate content handler can be assigned based on a MIME type supplied by the remote server. However, the server may mis-identify the MIME type. Therefore, in some embodiments, the translation engine will analyze the content itself, looking for common signatures in the response content to detect common content types, such as HTML. From this analysis, the translation engine can provide for rewriting of the response based on the actual MIME type, rather than the type supplied by the remote server.
In embodiments in which the interface is stream oriented, the content handler determines how it reads the file handle. For example, an HTML content handler may read relatively small chunks, such as 4K chunks, and a Java content handler may read the entire applet before translating it.
Further details of the translation logic are provided below.
As indicated above, proxy module 175 receives a request after authorization occurs and the headers have been rewritten. Proxy module 175 creates the outgoing connection to remote server 130, sends the request, reads the response, and forwards the response back to translation engine 170. In addition, proxy module 175 maintains a persistent connection to remote server 130, establishes an SSL connection with the remote server if appropriate (such as when the remote server is on public network 140), and in some embodiments handles SSL resumption for outgoing connections when an SSL connection is resumed for the incoming connection from client 110.
The incoming connection to the proxy module and the outgoing connection are associated, at least implicitly. In some embodiments, termination of the incoming connection will tear down the outgoing connection. In these embodiments, more than one connecting client may not use the same connection to a remote server, which can increase startup time, but may also provide more security.
In some embodiments, proxy module 175 maintains a connection to only one remote server at a time. In these examples, the following interactions may occur.
1. Client A connects to proxy B with the intent of accessing web server C.
2. Proxy B opens a Transmission Control Protocol (TCP) connection to web server C.
3. Proxy B sends the HTTP request to web server C.
4. Web server C responds to proxy B.
5. Proxy B sends the response back to Client A.
6. Client A sends an HTTP request across the same connection to proxy B as before (step 1, above), with the intent of accessing web server D.
7. Proxy B drops the connection to web server C (from step 2, above).
8. Proxy B opens a TCP connection to web server D.
From that point, the interactions continue as with the connection between proxy B and web server C.
However, the performance impact may be lessened if proxy module 175 can maintain connections to multiple remote servers at the same time.
An example of operation of translation engine 170 is shown in
In header processing block 308, at step 312 translation engine 170 queries authentication daemon 185 to determine whether the request is authorized. If the request is authorized, processing continues at step 314, with the removal of cookie information from the original request. That information is placed in a cache. If the request is not authorized, translation engine 170 sends an error message (step 390) back to client 110 and the request ends (step 392).
Following the removal and caching of cookie information at step 314, if the request was authorized, translation engine 170 queries policy daemon 180 for whether access to the requested uniform resource locator (URL) is authorized, at step 316. If the requested URL is authorized, translation engine 170 constructs new headers, including cookies, from the data and cached cookie information, at step 320. If the requested URL is not authorized, translation engine 170 sends an error message (step 390) back to client 110 and the request ends (step 392).
Following the construction of new headers, at step 320, the request is sent to proxy module 175, at step 322. Proxy module 175 forwards the request to the appropriate remote server and awaits a response. If proxy module 175 returns an error, translation engine 170 sends an error message back to client 110 and the request ends. If proxy module 175 does not return an error, translation engine 175 checks whether the receive queue is empty (that is, checks for more data) at step 324.
If the queue is not empty, processing returns to step 304 for the receipt of additional data (which may be header information). If all the data for the request has been received (the queue is empty), processing continues within response loop 340 (in
After the response has been translated, translation engine 170 sends the response to client 110 at step 354. If the request type is not registered, the response is sent to client 110 without translation.
After sending the data to the client, if more data is received from proxy module 175 (as tested at step 356), processing resumes at step 342. However, if the response is complete, processing completes at step 392.
The second type of user state information stored in state daemon 190 is data that is expected to survive the entire life of the user session. This may be data that is not stored elsewhere (for example, not stored on a remote server) and thus in this respect state daemon 190 does not act as a cache. Where the information is not stored elsewhere, it is preserved even if the user reaches the limit of state storage, and (unlike the first type of data) is not discarded. This storage can serve as an alternative to storing information at the client. Examples of this second type of state information include web cookies from reverse proxy sessions or temporary client state resulting from execution of “wizard” user interfaces.
In some embodiments, a garbage collector determines what information to delete from the state management storage, based on the age of the content.
If, for example, the state information includes secure information, then the state management daemon may have a permissions-based mechanism to prevent non-authorized processes from manipulating the data. For example, if the policy daemon caches policy information in the state management daemon for a certain user, that user may not make a request to modify that cached data even though that user may otherwise have the ability to modify objects associated with the user's token.
In some embodiments, a user state entry includes one of more of the following. First, a cryptographic hash of the user token who owns the state entry. Second, a cryptographic hash of the user token that is permitted to modify the state entry. This will be the same as the user token if the user is allowed to modify the data. However, if (for example) an administrative process such as the policy subsystem wrote the information, then this second hash would be the hash of the policy server process token. Third, a user state entry may include a timestamp of when the state entry was written into the daemon. This timestamp may be updated if the contents are modified or a separate field may provide a timestamp of when the contents were last modified. Fourth, a user state entry may include a binary data object containing the payload of the state entry. The actual data in some embodiments is not inspected by the state management daemon.
In some embodiments, custom rules can be created for the translation engine. This allows, for example, an administrator to extend the translation engine with the ability to translate new HTML entities or attributes, and improve compatibility with existing applications.
As discussed above, the translation engine is responsible for modifying requests and responses to requests, so that requests are routed to the appropriate remote server(s). Where desired, such as for security reasons, some information may be omitted from what is forwarded to the remote server or what is returned to the client. For example, browser information, such as the HTTP user-agent, or remote server identification information, such as the version of the server, may be omitted.
The translation of HTTP headers falls generally into three categories: reading of request headers to determine for which web server a request is destined; determining which HTTP request headers to forward and which to interpret; and determining which HTTP response headers to forward and which to interpret.
An HTTP request might have the following form:
In this example, the hostname refers to a particular reverse proxy platform, which is not the ultimate or intended destination of the request. Thus, in some embodiments, the Request line is used to determine the intended destination of the request. For example, the payload of a previously downloaded web page could have been modified (as discussed below) so that the subsequent request from the client will have a specially-formatted request line. One such embodiment would involve the postpending of information relating to the identity of the real destination host onto the end of the URL. Using the above example, a translated request might have the following form:
From this form, request handler 205 can determine that the request, although received by the platform's web server, is intended to be sent to www.yahoo.com. Of course, other formats could be used, as long as a registered response handler 230 and the request handler 205 rewrite the payload and interpret the headers in a consistent manner.
As one example for formatting the request line, a URI entity could be preceded with a constant string. For example, the URI:
This formatting can get complex when relative URLs are employed in an HTML document. For example, if an HTML document at
The resulting request received by the request handler would have the form:
As an alternative, relative URLs could remain intact, with information about the host postpended. In this case, the browser could perform relative URL resolution, which could be less computationally expensive. With this example, the relative URL:
Then, the request to the request handler would look like:
Using this form, where resolution of an absolute URL is required, the translation engine will only need to be able to determine which part is the host. Then it can remove the host and add it to the end of the request. For example, the absolute URL:
In addition to translating headers, the translation engine determines which HTTP headers received from the client browser should be passed on to the remote server. Some headers will be terminated by the platform server.
In some embodiments, the translation engine only forwards headers that are recognized and approved for forwarding. If the header is unknown, in these embodiments, it is not forwarded. This can result in a more secure and robust implementation, as unknown headers will not change the behavior of communications between the translation engine and the remote server.
For example, a transfer-encoding header (a hop-by-hop header) may not be forwarded, since it relates only to the session between the client browser and the platform server. In this case, a different transfer encoding can be used for the connection between the platform and the remote server.
As another example, certain headers relating to caching behavior may be sent to the destination remote server, as they may have an effect on the response sent back from the remote server. For example, if the browser specified an “If-Modified-Since” header, it may be beneficial to forward that header to the remote server or else the remote server would resend the entire requested file, regardless of whether it has changed.
The translation engine also determines which HTTP response headers received from the remote server should be passed on to the client browser. In some embodiments, if the header is not recognized, it is not forwarded to the client.
At times, a translation may be corrupted in some manner so that a request for a linked page does not include the correct reference. Accordingly, in some embodiments, the translation engine may use the referrer variable to check or supplement the information provided in the request. For example, a user may first request page 1 of a set of pages from a site and then click on a link from page 1 to page 2 of the set of pages. The referrer variable, included in the request for page 2, will indicate that the prior request was for page 1 at the site. The reference to the referrer variable is likely to be correct, even if the translation of the link to page 2 is not correct, because the user reached page 1. Therefore, by examining the information in the URL portion of the request (which may be a relative path, based on the path to page 1) and the information about the prior page from the referrer variable, the translation engine is able to determine the correct path to the link.
In addition to translating headers, the translation engine translates HTML code in an HTTP response, and reformats URI references as discussed above. In some embodiments, the translation engine scans for certain character sequences, in order to identify URIs for substitution.
In one approach, when inspecting an HTML tag, the translation engine translates parameters known to require translation and passes through all other parameters unmodified. In another approach, the translation engine translates parameters known to require translation, leaves parameters alone if they are recognized but known not to require translation, and drops all other parameters.
The first of these approaches provides relatively greater compatibility and fewer computations, but can be less secure because it allows for transmission of data that is not recognized. The second approach may tend to be more secure but may be more prone to compatibility problems. If a tag or attribute is not recognized, it will not be sent back to the browser. The second approach also may require more extensive development, and in some embodiments would include a greater ability to add to the set of recognized tags and attributes. A system could employ one or both of these approaches, and allow an administrator to configure the approach.
In an embodiment of the first approach, the translation method looks for particular tags to translate. If a tag is recognized as requiring translation, it is translated. If not, it is sent as-is. For example, the following HTML code:
would be translated to:
In this example, the “a” tag's “href” attribute was translated by the engine. Neither the “someattribute” attribute nor the “unknown1” tag are translated because they are not in the dictionary of things to translate. These tags are passed to the browser where, (in this simple example) if the browser interpreted them, the platform cookie could be compromised and sent to a third party server, allowing impersonation of the user.
In an embodiment of the second approach, the translation engine inspects each tag. A dictionary of known tags is maintained, containing not just tags that require translation but also tags that are known not to require translation. If the tag is known to require translation, the translation is performed. If the tag is known not to require translation, no translation is performed. If the tag is not in the dictionary, the tag is discarded entirely, and not sent to the user browser.
For example, the following HTML code:
would be translated to:
In this example, the “unknowntag1” tag is not recognized in the platform's tag dictionary and is not sent to the client. From a security perspective, because the unrecognized tag could contain insecure content, this may be preferred.
A similar rule applies, in this example, to tag attributes. The dictionary knows which attributes are associated with a given tag. For example, the anchor tag <a> can contain the known attributes charset, cords, href, hreflang, name, rel, rev, shape, target, type, idle, class, title, style, dir, lang, tabindex, and accesskey. If the attribute is not in the list, it is excluded. This can be helpful in cases where malformed or obscure attributes are present, which are often the target of exploit code. For example, the HTML code:
would be translated to:
The unknown attribute has been removed. This approach also makes it less likely that malformed input will be fed to the client, since only properly formatted HTML will be sent back to the client.
In some cases, there may be specific objects in an HTML file that should not be translated because it is desired that the reverse proxy not access the referenced URL or because accessing the URL through the reverse proxy will cause an error. For example, downloading an update from a web site may require the web site to know the actual location of the browser. In this case, it would be preferable if the web site were accessed directly, and not through the reverse proxy. Typically, the URL in such a case will be the value following a particular HTML tag name. Consequently, in some embodiments, the translation engine is configured so that the values for certain HTML tag names are not translated.
Once the translation engine receives text to translate, in some embodiments it locates the relevant keywords on which to operate. These keywords may be responsible for references to URLs or cookie manipulation. Each of these properties is replaced with a function call.
When the function is called, the object type is checked and if it is a type associated with a property that requires translation, the translation occurs. An example convention for function names is:
In some embodiments, the translation engine will determine what objects are tied to given attributes, and whether a given object type is one of the registered types. The chosen attributes can be tested against different browsers, with attributes chosen that are unique to a given object and provided consistently in the relevant browsers.
For example, the code:
could be translated to:
The request also updates the real cookie stored in the state management daemon. This can be done, for example, by creating an image object and setting the “src” property to a specially formed URL. This URL includes instructions to the platform to modify the cookie contents. Or, the cookie can be updated by setting the cookie properties with instructions such that the next request sent to the web server will update the internal state management store, as discussed above. On the next request, the reverse proxy also resets the cookie contents to contain only the user's authentication token.
In some embodiments, in order to accommodate Unicode, the translation engine may convert Unicode codepoints to their ASCII equivalent before the analysis.
Java code is represented in a binary format, sometime called “Java bytecode,” which can be more difficult to translate than the standard text that makes up HTML. Multiple pieces of Java code can be packaged into a single archive. These archives typically are referred to as JARs (Java ARchives) when used in Netscape/Sun implementations, and CABs (Cabinets) when accessed from Microsoft Internet Explorer. In some embodiments, the translation engine is able to read and create archives in both of these formats.
Generally, the Java translation subsystem of the translation engine includes four components, an applet rewriter, a signer component, a transport component, and a transport policy component. However, it should be understood that in some embodiments, one or more components may be combined or omitted, as appropriate.
The applet rewriter is within the translation engine. It rewrites the actual Java code and handles packaging of CAB and JAR files. The applet rewriter receives the original archive, unpacks any classes from it, rewrites the classes, and then repackages the archive.
The signer component also is within the translation engine. It takes a repackaged archive file from the applet rewriter component, and attaches a valid digital signature to the archive. In some embodiments, the digital signature is provided by a certificate issuer from a valid certificate authority, such as Verisign or Thawte. The name on the certificate (certificate subject) may be the entity that runs the reverse proxy platform, rather than the entity that provides the reverse proxy platform, in cases where these are different entities.
Once the rewritten applet is downloaded to the client browser, it will attempt to connect to the reverse proxy platform instead of the real destination server (a remote server). This may involve the use of Java sockets, URL classes, DNS resolution requests, or datagram sockets among other methods. Encryption may be provided by the secure sockets layer (SSL) protocol over port 443, in some embodiments, so the traffic appears to be standard HTTPS traffic to firewalls between the connecting client and the reverse proxy platform. The transport component is responsible for terminating the encrypted connection, decrypting it, and forwarding the data onto the remote server. The connecting client validates the SSL certificate offered by the transport component to perform server authentication. The transport component may use the same certificate as the platform web server.
In some embodiments, the reverse proxy platform distinguishes between different traffic types making use of the same destination server port. This practice may assist in the traversal of firewalls between connecting clients and the security platform, as those proxies or firewalls will interpret the traffic as HTTP over SSL. As one example of a way to distinguish different traffic types, a unique value can be present in the SSL ciphersuite field, which provides a hint to the server as to the content type. As another example, the SSL data stream can be decrypted, and the beginning content of the decrypted stream can be inspected to determine the traffic type. Once the traffic type is known, the traffic can be forwarded to the appropriate subprocess within the platform. Other methods also may be used to determine the type of traffic.
The transport policy component authorizes new connection requests coming into the transport component. This may involve two functions. First, the transport policy component authenticates the connecting user. This ensures that the connection is coming from a valid user of the reverse proxy platform who has reached a fully-authenticated state. All other connection attempts are denied. Second, the transport policy component checks the destination IP address and port to determine if the connection is allowed. This prevents, for example, an authenticated user of the platform from accessing servers on the private network that the user is not authorized to access.
An example of the interactions is depicted in
Client 502 then sends a request (528) to proxy 504 for the Java Applet. Proxy 504 sends a request (530) for the applet to remote server 510. Remote server 510 returns (532) the applet to proxy 504. Proxy 504 sends a request (534) to Java Applet Rewriting Module (JARM rewriter) 506, within the reverse proxy. Rewriter 506 rewrites (or retrieves from cache) the rewritten applet (536) and returns it to proxy 504. Proxy 504 then sends the rewritten applet (538) to client 502.
The applet then requests (540) a connection to remote private server 512, which goes to JARM transport daemon 508 (within the transport component). Transport daemon 508 authorizes the request and establishes a TCP connection to the real destination (542), which in this example is private server 512.
Subsequently, data transfers between the applet at the client and the private server take place through transport daemon 508, as shown in data transfers (544) between client 502 and transport daemon 508, and traffic (546) between transport daemon 508 and server 512.
An applet rewriting process for sockets is depicted in
A rewritten applet is shown in
In this example, the connections and communications include constructor/connect 645 from applet 635 to rewritten socket 640; the establishment of an SSL session and the direct stage of the control phase 648, from rewritten socket 640 to socket 610; the back stage of the control phase 650, from socket 610 to rewritten socket 640; the connect with the remote server 655 from rewritten socket 640 to socket 610; call methods and the sending of data 660 from applet 635 to rewritten socket 640; the sending of data through the secure SSL channel 665, from rewritten socket 640 to socket 610; the destructor/disconnect call 670, from applet 635 to rewritten socket 640; and the closing of the secure channel 675, from rewritten socket 640 to socket 610.
An applet rewriting process for an applet that uses URLs is shown in
The URL classes are provided by the Java Virtual Machine (JVM), and are not rewritten in the same way that user downloadable code can be rewritten. As shown in
Downloaded cabinet files also may be rewritten. When cabinet files are downloaded, version numbers are embedded in the file. When the client loads the HTML that hosts the cabinet, the HTML contains version information indicating the version of the cabinet to use. The client browser compares the version in the HTML against the version in any cabinets currently installed. If they are the same, the version of the cabinet already installed is used. Otherwise, the browser makes a request to download the cabinet from the server.
In some embodiments, the version number stored inside the cabinet file is augmented when rewriting the cabinet, so that an existing unwritten cabinet does not get used when a rewritten cabinet should be used. This may involve concatenating the original version number of the cabinet with an arbitrary version number indicating the rewritten version of the cabinet. The combination of the two version numbers uniquely identifies the cabinet so that that the rewritten cabinet is used in place of the original, even though both may be the same version of the original code. Similarly, the translation engine responsible for rewriting the HTML that hosts the cabinet file rewrites any references to the version of the cabinet to reflect the new versioning convention.
Some applications include Active-X controls that contain PARAM directives that contain URLs. These Active-X controls may be difficult or impossible to translate. As an alternative to translating the Active-X controls, the translation engine may be configured to rewrite specific PARAM values, allowing those Active-X controls to use translated URLs without requiring the Active-X control to be translated.
The use of the referrer variable, discussed above with respect to when a translation is corrupted, may not work with URLs identified through the use of Active-X controls. For example, one request may be for page 1 of a set of pages at a site. From the use of an active-X component, page 2 may be identified. However, from the browser's perspective, page 1 may appear to be from platform server 160 and therefore page 2 may be identified based on the URL of the platform server. By first identifying certain URLs that will be referenced using Active-X controls, the translation engine may be configured to rewrite a URL identifying a specific page on the platform server to the corresponding page at, for example, the remote server.
The translation engine also manages cookies that are sent and received from the remote servers. Cookies that would be sent from the remote server to the client are held by the reverse proxy. In some embodiments, the reverse proxy sends just a single cookie to the client, which identifies the user's session but has no sensitive information from within the network. It is a session cookie that is not stored in the client browser's cookie cache. This reduces the risk that cookies left on a non-secure client will be accessed by an unauthorized user.
In general, cookie interactions with the reverse proxy involve the following steps, as shown in
In some embodiments, in order to manage cookies within the reverse proxy, a complete or at least a substantial implementation of RFC 2109 (“HTTP State Management Mechanism”) is provided within the reverse proxy platform. This includes the ability to compare domains, enforce cookie expiration, determine whether one path is inclusive of another, and perform generic parsing of Cookie and Set-Cookie headers.
Upon receiving a set-cookie header from a remote server, the reverse proxy in some embodiments will reject the proposed cookie if: the value for the Path attribute is not a prefix of the request-URI; the value for the Domain attribute contains no embedded dots or does not start with a dot; the value for the request-host does not domain-match the Domain attribute; or the request-host is a fully-qualified domain name (FQDN) (not an IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.
If the cookie is considered to be valid, the reverse proxy determines whether the cookie replaces an already existing cookie, or if the cookie is unique. This determination may be made based on the name, domain, and path attributes of a proposed cookie.
Generally, a cookie that qualifies from the domain and path attributes is forwarded to the remote server. This includes multiple cookies with the same name, which may have different paths. Cookies are ordered based on the specificity of the path, with cookies with more specific paths coming before cookies with more general paths.
In some instances, browser cookies can be shared between multiple windows or frame instances. In some embodiments, it may be useful or necessary to keep virtualized cookies in synchronization between the various windows. This can be done using the XMLHTTPRequest facility provided, for example, with Microsoft Internet Explorer or Mozilla. This allows updates to cookies and requests for cookies to be sent to the reverse proxy subsystem. In some embodiments, as with other features, this capability can be enabled or disabled based on, for example, the impact on performance.
In some embodiments, network and user security functions may be implemented at least in part through the use of authentication realms. As shown in
Each realm includes one or more stages of authentication, which are provided through the authentication servers. The group of users that login through a particular realm may have multiple sets of credentials. Each stage may require one or more sets of credentials in order for a user to be authenticated at that stage.
By establishing different groups of users, each group may have a different set of authentication mechanisms. For example, in one realm a user may use both SecurID (a trademark of RSA Security, Inc. of Bedford, Mass.) and Server Message Block (SMB) authentication; in a second realm, a user may use just SMB authentication; and in a third realm, a user may use internal authentication. Other forms of authentication may be used, including (but not limited to) Kerberos and RADIUS. Authentication also may be based, at least in part, on the client having a recognized SSL certificate, on the client's source IP address, or on an appropriate hardware authentication token.
In some embodiments, a user must successfully authenticate against all stages for that user's realm in order to be permitted access to the private network. Failure to authenticate properly against any given stage immediately terminates the authentication session, and no additional stages of authentication are revealed to the user.
For each realm, a policy server may be defined. The policy server populates an internal data storage 850 with group membership information. The group membership information provides specific inclusion (that is, access to) or exclusion from a service. That is, a group may be provided access to the private network generally or to particular services within the private network, or a group may be excluded from the private network or particular services within the private network.
An authentication stage can provide client integrity validation instead of (or in addition to) authentication of a user. Client integrity checking involves the examination of a connecting workstation to determine if it is permitted to connect to the platform Client integrity tests can include checks for viruses, keystroke loggers, Trojan horses, the presence of security bug fixes, and other potential client (and possibly server) problems. Client integrity validation can apply to all realms (and in some embodiments, before any credentials are disclosed), and/or can occur as an authentication stage within a realm. The client integrity requirements can be varied by realm and can occur at any stage within a chain of authentication stages. In some embodiments, if a client integrity check fails, the authentication terminates and the user is not provided access. In other embodiments, if a client integrity check fails, a user is permitted to access a service to obtain a software update, patch, or tool to correct the failure. For example, the user may obtain an update to anti-virus software, a tool to remove viruses or other rogue software, or a security update.
An example of a set of authentication realms is shown in
Once the user selects a realm, the user must pass through all the stages of authentication for that realm, including any client integrity validation stages defined for that realm. In this case, Realm 1 includes a client integrity validation stage 950, and then an SMB authentication stage 955. Realm 2 includes a SecurID authentication stage 960, then a client integrity validation stage 965 (which may include the same or different steps from client integrity validation stage 950), then an SMB authentication stage 970. Realm 3 includes just an internal authentication stage 980.
As illustrated in
A realm also may have multiple client integrity validation stages, such as from different vendors. The client integrity validation stages can be chained, like any other realm stages. Thus, for example, one vendor may provide Trojan Horse scanning at one stage, and another vendor may provide a firewall examination at another stage.
In some embodiments, the realm stage authentication modules may enter into a conversation with an arbitrary number of prompts. This can provide increased flexibility, because the authentication infrastructure does not need advanced knowledge of what the individual authentication modules will require from the user.
For example, a SecurID authentication mechanism may be provided the username, and then prompt for the PIN code. Once this is provided, the SecurID mechanism permits access. However, the SecurID module could prompt for additional information, such as the next PIN code or a new PIN. The SecurID module can do this without the authentication subsystem having any knowledge of the details of this conversation. The authentication subsystem acts as an intermediary between the client and the authentication module, and is told by the authentication module whether the authentication succeeded or failed.
An example of an authentication conversation is shown in
In this example, authentication module 1015 returns to authentication subsystem 1010 a prompt to “Enter Next PIN” (at step 1050), which authentication subsystem 1010 sends to client 1005 (at step 1055). The user enters the second PIN, which client 1005 sends to authentication subsystem 1010 (at step 1060). The authentication subsystem 1010 forwards this second PIN to the authentication module 1015 (at step 1065). The user having now successfully been authenticated in this example, authentication module 1015 responds to authentication subsystem 1010 that authentication is successful (at step 1070). Authentication subsystem 1010 then allows client 1005 access to the next stage or, if authentication is complete, to the private network, at step 1075.
If a user successfully authenticates, the authentication subsystem queries the policy server for group memberships. The policy server accesses the data storage and returns a list of groups of which the user is a member. Individual applications may be tied to specific groups, permitting the authentication subsystem to make a determination as to which applications the user can access.
In some embodiments, policy server 840 is not queried until all stages of authentication are completed for a realm. In these embodiments, policy server 840 does not add an entry for the user to associate the user with the relevant groups in data storage 850 until the connecting user reaches a fully authenticated state. The group information retrieved is used to determine to which applications the user is permitted access on the platform. For example, a user being a member of the group “engineering” may result in the user being permitted access to certain applications that normally are not available to all connecting users. Policy server 840 and data storage 850 may be synchronized with an external policy store, such as one associated with policy daemon 180, described above in connection with the reverse proxy system.
During authentication, authentication subsystem 815 can restrict logon capabilities to a user based on whether the user is a member of a particular group on the policy server. For example, a user may need to be a member of a “remote access” group to login, even though the user has valid credentials on the authentication server.
Returning to the example in
In some embodiments, these login-related groups may define which applications a user is permitted to use. In other embodiments, these login-related policies are independent of the policy checking performed to determine which applications a user is permitted to use.
Following successful authentication, authentication realm 820 may cache one or more passwords or other sets of credentials required by one or more of the authentication stages for all or a portion of the user session. For example, the automatic authentication may occur with a forms-based authentication using an HTML form normally presented to the user. Or, as another example, the automatic authentication may occur with HTTP authentication, such as defined in the Internet Engineering Task Force RFC 2617. When desired, this allows the user to authenticate with certain backend servers without re-entering the credentials.
One or more of the stages for a realm may be post-authentication stages, which apply after a user is fully authenticated and provided access to the network and services. Post-authentication stages provide additional security or other functions. For example, a post-authentication stage may automatically log out a user after a predetermined period of inactivity. Or, a post-authentication stage may require a user periodically to reauthenticate with one or more of the authentication stages for that realm. In addition, a post-authentication stage may restrict services a user can access during certain time periods. For example, some subgroups may not be permitted to access certain services during peak periods.
Authentication subsystem 815 may serve as a gateway to one network or to multiple, unrelated networks, which may serve unrelated customers. Where the subsystem provides a gateway to multiple networks, the gateway may provide a first group of users (corresponding, for example, to a first realm) access to a first network and deny the first group of users access to a second network; and provide a second group of users (corresponding, for example, to a second realm) access to the second network while denying them access to the first network. This allows each customer to maintain security over its network. The networks may be physically distinct or virtual local networks.
Access to the private network also may be provided through an SSL tunnel between a fat client application and the private network, through the security platform. In some embodiments, this is achieved through a virtual private network (VPN) client module installed on the client and a VPN server module installed on the security platform. As shown in
VPN adapter 1105 includes a Network Driver Interface Specification (NDIS) or other driver and operates in kernel space. VPN adapter 1105 communicates with host IP stack 1120 on one side to send (receive) packets to (from) fat client application 1125. On the other side, VPN adapter 1105 communicates with server-proxy 1110. Although only one fat client application is shown in
Server-proxy 1110 serves as an application proxy entity for fat clients and forwards packets between local clients and the remote intranet. Communications with the remote intranet use in some embodiments an SSL session, which server-proxy 1110 establishes, between server-proxy 1110 and the VPN server (discussed below) on the security platform. Server-proxy 1110 is a transparent proxy, so that from the client's perspective, it is talking directly to the actual remote server. In some embodiments, to reduce the risk that a server will pose as the security platform, the first time the client connects to a new server it pops up an alert message indicating the name of the server to which it is connecting, so that the user can allow or reject the connection.
In some embodiments, server-proxy 1110 includes control entity 1130, Point-to-Point Protocol (PPP) module 1135, Secure Sockets Layer (SSL) module 1140, and dynamic host configuration protocol (DHCP) module 1155.
Control entity 1130 monitors the components and threads, and shuts down server-proxy 1110 if any problems are detected.
PPP module 1135 establishes a PPP link with the VPN server at the remote LAN, so that from the client's perspective the fat client is on the local LAN. In some embodiments, BSD PPP is used in PPP module 1135, running as an independent thread.
SSL module 1140 provides a secure tunnel by using SSL to encrypt traffic between the client and the VPN server. In some embodiments, SSL module 1140 uses an OpenSSL library that includes libeay32.dll and ssleay32.dll. In order to reduce the overall size of SSL module 1135 in some embodiments, the SSL libraries are recompiled without some encryption algorithms. This reduced-size SSL library may support RC4, DES, and 3DES for the symmetric cipher; MD5 and SHA1 for the digest; and RSA, DSA, and DH for the public key cipher. Alternatively, other sets of the algorithms could be used, as appropriate.
Server-proxy 1110 receives IP packets from VPN adapter 1105, encapsulates those packets within PPP frames in PPP module 1135, and forwards the packets to SSL module 1140 for delivery to the VPN server and remote LAN. In particular, SSL module 1140 encrypts the packets and forwards the encrypted packets to IP stack 1120. Routing component 1145 within IP stack 1120 directs these outgoing packets to Ethernet adapter 1150, for forwarding to the remote LAN. Specifically, in some embodiments, those packets are delivered to a VPN server at a security platform, such as the security platform discussed above. In some embodiments, Ethernet adapter 1150 is part of a network interface card (NIC). Alternatively, other network communication equipment could be used in place of Ethernet adapter 1150. Fat client application 1125 can use Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), or other communication protocols to communicate through IP stack 1120 with the server.
In the reverse direction, SSL module 1140 receives from IP stack 1120 encrypted incoming IP packets destined for local clients (e.g., fat client 1125). SSL module 1140 decrypts the packets and passes the decrypted packets to PPP module 1135. PPP module 1135 extracts the IP packets from the PPP frames and delivers the packets to VPN adapter 1105, which in turn uses IP stack 1120 to send the packets to the fat client.
Control component 1115 installs VPN adapter 1105 (if it is not already installed), starts server-proxy 1110 and monitors its health, and exchanges heartbeat messages with the server-proxy. In some embodiments, control component 1115 operates in a browser window, such as Active-X running in the Microsoft Internet Explorer browser, or a Java or native Netscape plug-in running in a Netscape browser. Active-X control may use, for example, Active Template Library (ATL) 2.0 and be packaged as a DLL.
Both control component 1115 and server-proxy 1110 check for the heartbeat messages. If the heartbeat messages are missing, server-proxy 1110 shuts down the PPP connection and itself, and informs VPN adapter 1105 that it is shutting down and disconnecting. Control component 1115, if the heartbeat messages are missing, shuts itself down and sends a shutdown message to the server-proxy. Control component 1115 also sends a shutdown message to server-proxy 1115 when the user logs out or closes the browser.
To start a fat client session, the user logs into the security platform and accesses a link that is selected to startup the VPN client. In response, the security platform sends back an HTML page containing a cabinet (CAB) file, a JAR file, or some other archive file that contains the control component, the server-proxy, and the VPN adapter.
In particular, in some embodiments, the HTML page includes an object tag with the class ID of the archive file, a codebase referring to the archive file to be downloaded and its version, and a parameter tag containing a URL to the archive and its input parameters. The input parameters include in some embodiments, a token ID, the server to which to connect, the port number, and the type of connection to use. The HTML page may also include additional or other parameters to configure the client.
In the case of a cabinet file, the browser checks if the referred file is already extracted by checking in the windows registry for entry of the class ID of the DLL compressed in the cabinet file. If the browser does not find an entry in the registry for the cabinet file or the version of the entry is older than the one mentioned in the HTML page, the cabinet file is downloaded. The new cabinet file self-extracts and places the executable files, such as the VPN adapter (driver), PPP DLL, SSL libraries, server-proxy executable, and Active-X DLL in directories. In some embodiments, an Active-X component installs the VPN adapter. The VPN adapter is registered in disabled mode. In some embodiments with some operating systems, the user may then need to reboot the machine if the VPN adapter has been modified.
When the HTML page is fully downloaded, the browser loads, for example, the Active-X DLL with the parameters.
Once loaded, control component 1115 sends a startup message to server-proxy 1110 containing the token and other parameters. Server-proxy 1110 establishes a session (e.g., an SSL session) with the VPN server, and passes the user token to the VPN server. The VPN server can use that information for authentication. Server-proxy 1110 may also warn the user, such as with a message in a pop-up window identifying the server to which the user is connecting, and ask whether the user wants to continue. This helps allow the user to detect if a connection is being made to a rogue server and if so to terminate the session.
Server-proxy 1110 also starts the other components of the VPN client. First, via control entity 1130, server-proxy 1110 spawns three threads: a PPP thread, a Transmit thread, and a Receive thread. In some embodiments, server-proxy 1110 initially starts these threads in a suspended mode, until an authenticated session with the security platform has been established. The PPP thread handles the PPP functionality including state machines, timers, autonomous packet generation, and event generation. On startup, PPP thread performs an initialization.
The PPP thread initiates a PPP connection with a PPP peer at the VPN server. Session parameters (such as compression) are negotiated during the session setup. The PPP thread also receives its IP address on the remote subnet and primary and secondary remote domain name system (DNS) server addresses as part of the PPP negotiation. Primary and secondary Windows Internet Naming Service (WINS) addresses also can be sent.
After completion of the PPP connection with the VPN server, server-proxy 1110 enables VPN adapter 1105. Server-proxy 1110 sends to VPN adapter 1105 a media connect flag. VPN adapter 1105 registers as the interface for the remote subnet. The DNS server associated with the remote subnet is prioritized as the first server in the DNS list. In some embodiments, VPN adapter 1105 informs the operating system (e.g., Microsoft Windows) once it is running, and the operating system sends a dynamic host configuration protocol (DHCP) request to VPN adapter 1105 to get the IP address and DNS server addresses. VPN adapter 1105 sends the request to server-proxy 1110. DHCP server component 1155 within server-proxy 1110 receives the packet and responds with IP and DNS server addresses that the server-proxy received from the VPN server module (as discussed above). VPN adapter 1105 sends those addresses to the operating system. This allows applications to resolve addresses for the corporate network without modifying the static host file, by using addresses that the operating system obtains from the corporate DNS server.
Data flow can then start between fat client 1125 and the remote LAN. The Transmit thread handles packets received from fat clients via VPN adapter 1105, and the Receive thread handles packets received from the security platform and remote LAN.
DNS requests and data packets from fat client 1125 destined for the remote LAN are directed to VPN adapter 1105. VPN adapter 1105 passes the packets to server-proxy 1110, which encapsulates them into PPP frames (using PPP module 1135). The frames are encrypted using SSL module 1140 and sent to the security platform and remote LAN over the SSL tunnel.
In the reverse direction, packets are received through the SSL session and PPP module 1135 extracts the packets from the PPP frames. Control packets are handled within the PPP module. Data packets are passed to VPN adapter 1105. VPN adapter 1105 then delivers the data packets to the appropriate fat client application 1125 via IP stack 1120.
Inter-thread communication and control flow is illustrated in
From a control flow perspective, packets from fat client application are directed to VPN adapter 1220 (corresponding to VPN adapter 1105 in
In some embodiments, VPN adapter 1220 creates shared memory 1260 and both the VPN adapter and the server-proxy get a handle to the shared memory through object manager 1285. In other embodiments, server-proxy 1205 creates the shared memory, which VPN adapter 1220 can open. Security is provided through permissions set using access control lists at the time of creation and mapping time, so that only server-proxy 1205 and VPN adapter 1220 can access shared memory 1260. In some embodiments, shared memory 1260 uses checksums for data protection. The modules or entities writing to shared memory 1260 add a checksum to the data and the modules or entities reading from shared memory check the checksum.
VPN adapter 1220 includes two queues for receiving and sending packets in the shared memory. The VPN adapter places a packet going from the kernel to the server-proxy in the send queue. The server-proxy places a packet going to the VPN adapter in the receive queue. Each queue is configured as a circular buffer, with a read pointer and a write pointer, which the VPN adapter and the server-proxy use to determine where to read and write.
Polling timer 1280 is registered with VPN adapter 1220 during driver initialization. In some embodiments, in case VPN adapter 1220 misses an event indicating that packets are available from server-proxy 1205, polling timer 1280 polls every 100 ms for packets to be sent to IP stack 1250.
In operation, VPN adapter 1220 queues outgoing packets from VPN adapter 1220 to server-proxy 1205 and sends an event to server-proxy 1205, as notification that the packet is ready for transmission. Transmit thread 1225 receives the event, takes the packet from shared memory, and calls a PPP function to create the PPP frames. PPP thread 1230, using PPP event and timer handler 1235 (together part of PPP module 1240) provides PPP control functions and supplies internal PPP packets.
Once the PPP frames are created, Transmit thread 1225 calls an SSL send function (part of SSL module 1245) to encrypt the PPP frames and send the SSL encrypted data to IP stack 1250, where the data is sent to network interface card (NIC) 1255 and then over a public network to the VPN server on the security platform and on to the appropriate server on the remote LAN (private network).
Data coming in from the remote LAN (via the secure SSL tunnel) is received by NIC 1255 and passed to IP stack 1250, and then to SSL module 1245, where the data is decrypted. Receive thread 1275 waits for packets to be received by SSL module 1245, then calls a PPP function to remove the PPP encapsulation. Receive thread 1275 then writes the received data to shared memory 1260 and raises an event for VPN adapter 1220. VPN adapter responds to the event by reading the data from shared memory and sending it to fat client application 1265 via NDIS layer 1270 and IP stack 1250.
As illustrated in
Either the server-proxy or the security platform can terminate the PPP connection. For example, the PPP link tear down can be initiated by either side if there is no activity for a pre-defined period of time or a timer expires. If the link is down, activity on the Transmit thread (when the server-proxy receives a packet from the client application) causes the control entity to generate a event for the PPP module to bring up the link. In response, the VPN server can allocate either the same IP address as previously allocated or a different IP address.
In the case of the same IP address, the data flow path discussed above is established and the PPP link is established transparent to the user and the client application. If the VPN server established a different IP address, when the server-proxy enables the VPN adapter by raising the media connected flag, the resultant DHCP request from the operating system for the previous IP address is Negative Acknowledged (“NAKed”) by the server-proxy and the new IP address is provided to the subsequent DHCP request. The transmit queue is flushed, to remove data packets with the old IP address. The server-proxy may also notify the user, such as with a message in a pop-up window stating “VPN connection re-established. Please refresh your application.” This can account for the case where the client application has timed out.
In some embodiments, if an error condition disrupts the PPP connection, the server-proxy will attempt to recover the failed component, and then restore the connection to the VPN server. Some examples of error conditions include, for example: one or more of the PPP, Transmit, and Receive threads goes down; physical connectivity is broken (for example, if a network cable plug is out); or the TCP connection is terminated. Alternatively, one or more of these error conditions could cause the VPN client to shut down.
In some embodiments, the server-proxy and its components do not shut down unless and until the user logs out or closes the browser.
On the server side, as shown in
Demultiplexer process 1430 routes the incoming SSL streams to the appropriate server, such as child process 1415, the reverse proxy system (described above), or web server 1435. In order to identify the appropriate destination server, in some embodiments the SSL hello message is used to insert a particular private cipher for traffic intended for the VPN server and/or for traffic intended for other servers. Demultiplexer 1430 checks the private cipher and routes the incoming SSL stream accordingly. In some embodiments, if the incoming SSL stream does not include a recognized private cipher, the stream is routed to web server 1435. Alternatively, the SSL data stream can be decrypted, and the beginning content of the decrypted stream inspected to determine the traffic type. Once the traffic type is known, the traffic can be forwarded to the appropriate subprocess. Of course, other mechanisms also may be used to determine the type of traffic.
For SSL tunnel connections, server process 1410 maintains a current connection status table that includes the child process ID, the source address, and other status information as desired. Server process 1410 also monitors each child process, stores message information in the current connection status table, and manages global resources, such as an IP address pool. The monitoring includes an exchange of heartbeat messages between server process 1410 and each child process 1415.
The configuration of server process 1410 may include whether to enable the VPN server, the IP address to be used by the server for each PPP link, an IP address range to assign to remote users, whether to apply access restrictions to users, and a default idle timer, which establishes the length of time a session can remain idle (in terms of IP traffic) before it is terminated. Also, the server process may reference a policy subsystem (such as the policy subsystem described above), which provides a list of firewall rules required to grant or deny access to an application, a server, or a subnetwork. In some embodiments, server process 1410 will attempt to use the same IP address for each connection to a particular client, and if that IP address is not available will send the oldest unused address.
Child process 1415 terminates the SSL connection, determines any user specific requirements or restrictions for the connection and access to the private network (such as changing the default idle timer), generates pseudo terminal 1420, and spawns PPPD process 1425. On creation, child process 1415 sets up a message queue for heartbeat messages between server process 1410 and the child process, and listens on the socket for the SSL connection for data from the client. In some embodiments, child process 1415 has access to the certificate and private key of web server 1435, so that it can respond to the client's initial SSL message (the SSL hello message).
In some embodiments, child process 1415 initially receives from the client the user's token and a session type. Child process 1415 authenticates the user then sends a connect message to server process 1410 indicating the user and requesting an IP address. Once an address has been assigned, child process 1415 calls the configuration daemon (discussed below) to set up the firewall and any other restrictions. If child process 1415 authenticates the user, PPPD process 1425 may not need to authenticate the user, which may simplify the link setup process. Alternatively (or in addition), PPPD process 1425 may authenticate the user.
Once the user environment has been established, child process 1415 sets up a master/slave pseudo terminal pair (mpty 1440 and spty 1445) and starts PPPD process 1425 with the slave pty (which appears as a serial interface) and the client and local IP addresses assigned to the PPPD process as arguments. To communicate with the corporate network, PPPD process 1425 communicates with IP layer 1450, from which data passes for example over an Ethernet to the corporate network.
An example of data flow in setting up a PPP link is shown in
Child process 1510 starts PPPD at step 1555, and sends the client the IP address the client will use and the IP address the server will use, at step 1560. Child process 1510 then determines the interface for the PPP connection at step 1565. Child process 1510 makes another call to configuration daemon 1515, passing the user token and assigned PPP interface as parameters, at step 1570, as a user policy application request. Configuration daemon 1515 obtains the user's firewall rules from a data store, formats them (if necessary), and applies them to the firewall, at step 1575. Configuration daemon 1515 may also make changes to the routing table. Configuration daemon 1515 then sends a user policy response to child process 1510, at step 1580. If the response indicates that the client is permitted the desired access, the firewall will now allow through data packets. Child process 1510 informs client 1505 of the connection.
In the split mode, the VPN server sends back to the client subnets that the user can access once the client is authenticated. For example, a user may be able to access a corporate network using subnet 192.168.1.0, an operations network using subnet 192.168.2.0, and a marketing network using subnet 192.168.3.0. The server-proxy at the client updates the routing table to recognize the networks identified, so that traffic intended for these addresses is routed through the VPN adapter and back to the server and the private network.
An example of a set of filter tables for policy rules for a firewall is shown in
In some embodiments, the VPN firewall rules are prioritized in terms of application policies (that is, policies for allowing a user to access an application), then network deny policies (that is, policies that determine whether to deny a user access to a network or portion of a network), then network allow policies (that is, policies that determine whether to allow a user access to a network or portion of a network).
In some embodiments, the routing to the server can occur in a “split mode” or a “default routing mode.” In a split mode, outgoing traffic corresponding to the identified addresses is sent to the VPN adapter, and other traffic goes to the Internet. In a default routing mode, all outgoing traffic goes to the VPN adapter to be routed through the private intranet. The default routing mode can be more secure, by providing that all traffic be routed through the protections provided by the private network.
At times, the browser at the computer accessing the SSL tunnel has proxy server settings, requiring outgoing traffic to be directed through one or more local proxy servers. For example, the local proxy settings may provide for one proxy server for HTTP traffic and a second proxy server for FTP or some other protocol. In these cases, the VPN client redirects traffic intended for the VPN server to the appropriate proxy server, requesting the proxy server to forward the request to the VPN server. If the user were on the private network, the user might also be subject to proxy server settings, requiring some or all traffic to be routed through one or more proxy servers on the private network. When the user is accessing the network through the SSL tunnel, it may be desired that the user continue to have certain traffic routed through the proxy server on the private network. From the perspective of the user at the VPN client, the proxy server on the private network is a remote proxy server.
When the user first accesses the security platform to start the VPN client, the browser redirects the traffic to the local proxy server. Upon starting the VPN session, control component 1115 obtains the appropriate remote proxy server settings and checks the browser settings for any local proxy server requirements. Control component 1115 then consolidates the local and remote proxy server settings, and rewrites the browser's proxy settings accordingly. For example, the proxy rules may provide that local traffic go through IP address 10.1.1.100, may have no proxy requirement for traffic intended for addresses on the private network (e.g., of the form 192.168.1.xxx), and may provide that all other traffic (e.g., traffic going over the Internet) be directed through a remote proxy server at 192.168.1.100. Now, the VPN client knows (from checking the browser's proxy settings) that local traffic should be redirected to 10.1.1.100; traffic intended for 192.168.1.xxx should be redirected to the local proxy server with a request that it be forwarded to the appropriate address; and all other traffic should be redirected to 192.168.1.100. VPN adapter 1105, which routes the traffic destined for the VPN server, will redirect that traffic first to the local proxy server, to comply with the local proxy rules.
The combined proxy rules can be as simple or complex as desired, and can use a split routing mode or a default routing mode. Although explained above in terms of subnets and particular IP addresses, the rules also can be based on a domain or sub-domain, or on the protocol being used (for example, HTTP or FTP). For example, attempts to access specified URLs, or to access anything other than specified URLs, can be redirected to one or more particular proxies.
Because the browser's proxy settings have been rewritten, control component 1115 restores those settings when the SSL tunnel session ends. Also, control component sets flags so that, if the computer crashes, the browser's original proxy settings will be restored when the computer reboots.
The present invention may be implemented in a variety of forms, such as in software or firmware, running on a general purpose computer or a specialized device. The code can be provided in any machine-readable medium, including magnetic or optical disk, or in memory. In some embodiments, the security platform runs on Linux PC and is deployed on a local area network at a customer premises. Alternatively, the platform may run under other operating systems.
While there have been shown and described examples of the present invention, it will be readily apparent to those skilled in the art that various changes and modifications may be made without departing from the scope of the invention as defined by the following claims. Accordingly, the invention is limited only by the following claims and equivalents thereto.